WordPress Plugin Vulnerabilities

Custom Product Tabs Lite for WooCommerce < 1.9.1 - Authenticated (Shop Manager+) PHP Object Injection

Description

The Custom Product Tabs Lite for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.0 via deserialization of untrusted input from the 'frs_woo_product_tabs' parameter. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

Plugin icon
woocommerce-custom-product-tabs-lite
Fixed in 1.9.1

References

CVE
CVE-2024-12600
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/33c16b47-3202-4f26-bf45-98172b8cac45

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
4fe1aaff-6b72-42b7-8ccf-7afa9eedf594

Timeline

Publicly Published
2025-01-24 (about 1 year ago)
Added
2025-01-24 (about 1 year ago)
Last Updated
2025-01-25 (about 1 year ago)

Other

Published
Title
Published
2025-09-04
Title
Single Property <= 2.8 - Authenticated (Subscriber+) PHP Object Injection
Published
2025-08-08
Title
Connector for Gravity Forms and Google Sheets < 1.2.7 - Unauthenticated PHP Object Injection
Published
2025-09-03
Title
LTL Freight Quotes – Daylight Edition < 2.2.8 - Authenticated (Administrator+) PHP Object Injection
Published
2025-08-19
Title
White Rabbit <= 1.5.2 - Unauthenticated PHP Object Injection
Published
2025-09-03
Title
LTL Freight Quotes – Day & Ross Edition < 2.1.12 - Authenticated (Administrator+) PHP Object Injection